Invalid cross certification?
dshaw at jabberwocky.com
Wed Apr 9 14:53:43 CEST 2008
On Apr 9, 2008, at 4:25 AM, Werner Koch wrote:
> On Tue, 8 Apr 2008 19:22, dshaw at jabberwocky.com said:
>> Digest algo 11 is SHA-224, which is fairly recent. I believe it was
>> added to libgcrypt somewhere in the 1.3.x development. Does your
> Right, since 1.3.0 (May 2007) but we neded to fixed the ASN OID in
> (Dec 2007) to to an error in the OpenPGP RFC. Given that Libgcrypt
> marked as development and gpg2 was not in wide use we did not put this
> workaround for the changed OID into GnuPG-2:
> /* This code is to work around a SHA-224 problem. RFC-4880
> and the drafts leading up to it were published with the
> wrong DER prefix for SHA-224. Unfortunately, GPG pre-1.4.8
> used this wrong prefix. What this code does is take all
> bad RSA signatures that use SHA-224, and re-checks them
> using the old, incorrect, DER prefix. Someday we should
> remove this code, and when we do remove it, pkcs1_encode_md
> can be made into a static function again. Note that GPG2
> does not have this issue as it uses libgcrypt, which is
> being fixed while it is still a development version. */
> However if you know verify a signature created with a faulty SHA-224
> signature, gpg2 will flag it as bad.
> I hesitate to put the workaround into gpg2 unless more people complain
> about this problem. It would be better to fix the back signature.
> about having gpg print a notice pointing to an online FAQ entry?
I'm trying to persuade myself that doing nothing is the right answer :)
I rather like the FAQ idea, so we could print the notice on any failed
SHA-224 verification? We might want to do that in 1.4.x as well,
actually (with a reminder that we won't be fixing the signatures in
the background forever). That way we could encourage people to fix
the signatures as soon as possible.
I need to check the backsig issuing code in keyedit.c to see how users
can reissue backsigs. It shouldn't be too bad: backsigs live on the
unhashed part of the signature. Maybe --expert could allow the
backsig to be reissued.
More information about the Gnupg-users